What's Left in the Cookie Jar? EU & US ePrivacy Laws

Webinar: What's Left in The Cookie Jar? EU & US ePrivacy: What You Need To Know.

Upload: marketo

Post on 20-Aug-2015


TRANSCRIPT

Webinar:

What’s Left in The Cookie Jar?

EU & US ePrivacy-what You Need To Know.

Presenters:

Josh Aberant, Privacy Director, Marketo

Duncan Smith, CEO, iCompli

US & EU privacy rules share a strong common history, although you wouldn't know it looking at the current state of privacy protections.

How did we get here? What do you need to do to protect your business in the future?

Page 4

© 2011 Marketo, Inc. Marketo Proprietary and Confidential

Global ‘State-of-Nation’

• "ONLINE TRACKING TECHNOLOGIES HAVE ERODED PRIVACY TO AN UNACCEPTABLE POSITION"

• How have the US and EU ...

o Lawmakers

o Technology companies

o Regulators

o Self-regulators

o Marketers

o Individuals

.. reacted, and what are the IMPLICATIONS for marketers?

Page 5


It's a simple problem really...

CRM #1

• Target is Male

• Target is 45

• Target reads the Guardian online

• Target has three children

• Target's car insurance expires on 31.1.12

CRM #2

• Duncan is Male

• Duncan is 45

• Duncan reads the Guardian online

• Duncan has three children

• Duncan has purchased Viagra online

• Duncan's car insurance expires on 31.1.12

Page 6


EU AND US LAW

Compared and contrasted approaches

Page 7


Electronic Communications Framework

• Framework Directive 2002/21/EC

• Access Directive 2002/19/EC

• Authorisation Directive 2002/20/EC

• Universal Service Directive 2002/22/EC

• Directive on privacy and electronic communications 2002/58/EC

Page 8

The package was 'bundled' into the amending Directive 2009/136/EC (the 'Citizens' Rights' Directive). For cookies the key provision is Article 5(3) of 2002/58/EC as amended: confidentiality of communications, with consent on an opt-in basis.

Page 9


Amended UK Law (PEC Regs)

6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment--

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

Page 10


'Affirmative Question' equals disruption and is bad for business

• DCMS (UK Gov) does NOT propose asking an affirmative question to ‘harvest consent’

• A combination of enhanced browser settings and enhanced information WILL BE SUFFICIENT to meet the requirements of opt-in consent

Page 11


Amended UK Law, LOTS of words!

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information--

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

Page 12


Common History

Both EU and US privacy regulations are based on:

Page 13


Fair Information Practices

• Notice/Awareness (Fundamental Principle) Give consumers notice of an entity's information practices before any personal information is collected from them. (No secret data collection agencies)

• Choice/Consent Giving consumers options as to how any personal information collected from them may be used.

• Access/Participation Give consumers the ability both to access data about him or herself -- i.e., to view the data in an entity's files -- and to contest that data's accuracy and completeness.

• Integrity/Security Data should be accurate and secure

• Enforcement/Redress The above core principles of privacy protection can only be effective if there is a mechanism in place to enforce them.

Page 14


Fair Information Practices in US law

• Privacy Act (1974 - applies to Federal agencies)

• Family Educational Rights & Privacy Act (1974)

• Right to Financial Privacy Act (1978)

• Cable Communications Policy Act (1984)

• Electronic Communications Privacy Act (1986)

• Employee Polygraph Protection Act (1988)

• Video Privacy Protection Act (1988)

• Telephone Consumer Protection Act (1991)

• Driver’s Privacy Protection Act (1994)

• Health Insurance Portability & Accountability Act (1996)

• Children's Online Privacy Protection Act (1998)

• Gramm-Leach-Bliley Act (1999)

• CAN-SPAM (2003)

• Fair and Accurate Credit Transactions Act (2003)

Page 15


US Law Making

• Senate and House Bills

  • John Kerry (D) & John McCain (R)

    o The Commercial Privacy Bill of Rights Act of 2011

  • Jay Rockefeller (D)

    o Do-Not-Track Online Act of 2011

  • Jackie Speier (D)

    o Do Not Track Me Online Act of 2011

• Politics is Politics

  • E.g. the hearing "Internet Privacy: The Impact and Burden of EU Regulation"

    o Sept 15 - the House Subcommittee on Commerce, Manufacturing and Trade

    o Chaired by Mary Bono Mack (R)

Page 16


THE ‘REGULATORS’

Who are they and what are they saying?

Page 17


EU: Regulators

• WHO: Information Commissioners and the Article 29 Working Party

• SAYING WHAT: 95/46/EC (the Data Protection Directive) is under review...

  • "In the reform I [Viviane Reding] want to introduce four important changes:

    o "Companies outside the EU - if they directly target their activities to EU citizens - will need to abide by the new EU data protection rules"

Page 18


Article 29 Working Party

• I suggest A29's advisory status is set to be tested

• Its July 2011 'Opinion 15/2011' (on the definition of consent) sets it on a collision course with businesses and UK Gov!

  • Whenever consent is required, it must be given before the data processing starts

  • Consent based on the lack of individuals' action, for example through pre-ticked boxes, does not meet the requirements of valid consent under Directive 95/46/EC.

Page 19


US Regulators

• FTC

  • Do Not Track List

  • Opt-out of 3rd party tracking

• US Dept of Commerce

  • Green Paper

  • Baseline federal privacy regulation

    o No more patchwork of local & state laws

  • Enforcement Dept (within Commerce Dept)

• Patchwork of state & local regulators

  • E.g. data breach notification regulations are at the state level

Page 20


US Self Regulators

• OTA – Online Trust Alliance

• IAB - Interactive Advertising Bureau

• NAI - Network Advertising Initiative

• DAA - Digital Advertising Alliance

• BBB - Better Business Bureau

• AAAA - American Association of Advertising Agencies

• TRUSTe

Online Trust Alliance - https://otalliance.org/

Page 21


THE MARKETERS AND CITIZENS

Are they saying anything?

Page 22


EU: The Marketers

• Any big brands set out their stall yet?

Page 23


EU: The Citizen

• Emerging qualitative data

  • Participants were given the choice to buy a DVD from one of two online stores

  • One store consistently required more sensitive personal data than the other

  • When prices were identical, participants bought from both shops equally often

Page 24


THE TECHNOLOGY RESPONSE

What’s being done?

Page 25


US Technology Response

In many ways the organizations leading current US privacy developments are US technology providers

• Do Not Track (DNT) header

  • Firefox first...

  • then Microsoft...

  • then Apple...

  • then... (we're looking @ you Google)

Will Norway-based Opera also get with this US program?

Page 26


Firefox Do Not Track Header

Page 27


US Technology Response

• Open question on what DNT means

  • No tracking whatsoever

    o How do you make web apps and services work? (shopping baskets?)

  • Anonymous tracking only

    o Still breaks many web apps

    o Reduces revenue from ad-supported content

  • No 3rd party tracking

    o FTC alignment

    o Is this what consumers think?

  • Apply opt-outs

    o How do we explain this one to consumers?

Page 28


OUR ADVICE

So what are the implications?

What are our recommendations?

Page 29


US Marketers – 5 Steps to Be Prepared

1. Define your Do Not Track program

2. Record DNT header meta-data for audit purposes

3. Get Safe Harbor certified

4. Make sure the partners you share data with are Safe Harbor certified

5. Secure your data

o There is no privacy without security

o Security By Design https://otalliance.org/resources/securitybydesign.html
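The slides leave "what does DNT mean" and "record DNT header meta-data for audit" as open items. The following is an added example, not code from the webinar or from Marketo, of one concrete DNT program a site could adopt: a server-side gate that treats the UK regulation 6(4)(b) "strictly necessary" cookie (the session/basket cookie) as exempt, requires positive consent for everything else, lets a `DNT: 1` header override stored consent, and writes an audit record for each decision. The cookie names, the categories, the `consent=<category>,<category>` cookie format and the assumption that header names arrive lower-cased (as Node's http module delivers them) are all assumptions made for illustration.

```javascript
'use strict';
// Added example, not code from the webinar or from Marketo: gate cookies
// on the DNT request header plus a consent cookie, and keep an audit
// record of each decision. Cookie names, categories and the
// "consent=<cat>,<cat>" cookie format are assumptions for illustration.

// Registry of cookies this site sets. Only the 'necessary' category is
// exempt from consent (PEC Regs reg. 6(4)(b): strictly necessary for a
// service the user asked for, e.g. the shopping basket).
const COOKIE_REGISTRY = {
  sid:          { category: 'necessary',   purpose: 'session / shopping basket' },
  analytics_id: { category: 'analytics',   purpose: 'first-party visitor analytics' },
  ad_id:        { category: 'advertising', purpose: 'third-party ad targeting' },
};

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of String(header || '').split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Categories the user has positively consented to. No cookie means no
// consent: a pre-ticked default is not consent (A29 Opinion 15/2011),
// so nothing is assumed in the site's favour.
function consentedCategories(cookies) {
  if (!cookies.consent) return new Set();
  return new Set(cookies.consent.split(',').map(s => s.trim()).filter(Boolean));
}

// DNT header: '1' = do not track, '0' = tracking permitted, absent = no
// preference expressed. DNT:0 is not consent to any particular purpose.
function dntPreference(headers) {
  if (headers.dnt === '1') return 'opt-out';
  if (headers.dnt === '0') return 'opt-in';
  return 'unset';
}

// The site's DNT program (step 1): DNT=1 overrides stored consent for
// every non-necessary cookie; otherwise the consent cookie decides.
function decideCookiePolicy(headers) {
  const consent = consentedCategories(parseCookies(headers.cookie));
  const dnt = dntPreference(headers);
  const decisions = {};
  for (const [name, meta] of Object.entries(COOKIE_REGISTRY)) {
    if (meta.category === 'necessary') decisions[name] = 'allow:strictly-necessary';
    else if (dnt === 'opt-out') decisions[name] = 'block:dnt';
    else if (consent.has(meta.category)) decisions[name] = 'allow:consent';
    else decisions[name] = 'block:no-consent';
  }
  const names = Object.keys(decisions);
  // Audit record (step 2): raw DNT value, consent state and every
  // per-cookie decision, so the choice can be reconstructed later.
  const audit = {
    at: new Date().toISOString(),
    dntHeader: headers.dnt === undefined ? null : headers.dnt,
    dnt,
    consent: [...consent].sort(),
    decisions,
  };
  return {
    allowed: names.filter(n => decisions[n].startsWith('allow')),
    blocked: names.filter(n => decisions[n].startsWith('block')),
    audit,
  };
}

// Set-Cookie values for the allowed cookies only. Everything is Secure and
// SameSite=Lax; the session cookie is also HttpOnly.
function setCookieHeaders(allowed, values) {
  return allowed.map(name => {
    const attrs = ['Path=/', 'Secure', 'SameSite=Lax'];
    if (COOKIE_REGISTRY[name].category === 'necessary') attrs.push('HttpOnly');
    return `${name}=${encodeURIComponent(values[name])}; ${attrs.join('; ')}`;
  });
}

// Demo over constructed request headers (not real traffic).
function demo() {
  const values = { sid: 'abc123', analytics_id: 'v-42', ad_id: 'x9' };
  const samples = [
    { dnt: '1', cookie: 'consent=analytics,advertising' }, // DNT overrides consent
    { cookie: 'consent=analytics' },                        // consent, no DNT
    { dnt: '0' },                                           // DNT:0 but no consent
  ];
  return samples.map(h => {
    const r = decideCookiePolicy(h);
    console.log(JSON.stringify(h), '->', setCookieHeaders(r.allowed, values));
    return r;
  });
}

demo();
```

The policy is deliberately explicit and small: the registry is the written-down inventory of technologies the "Top 3" slide asks for, the `decisions` map is what you would ship to an audit log, and the `dnt === 'opt-out'` branch is the "over-riding consent" case. Whether DNT=1 should also suppress first-party analytics that the user separately consented to is a business decision; the code makes that choice in one place so it can be changed and audited.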

Page 30


Consumers – 4 Ways To Protect Your Data

1. Be mindful of what data you share

2. Share the minimum amount of data

3. Clear your personal information

  o Search engine history

  o Web apps history

  o Locally stored objects (e.g. cookies), e.g. with CCleaner

4. Keep your computing systems secure

  o Anti-virus

  o Anti-spyware

  o Download and run applications from trusted sources only

Page 31


Be Mindful of Security

• Corporate culture

• Long-term commitment

• A marketer's mindset

• Three fundamental truths:

  • Your data includes some PII

  • You will have a data incident

  • Data stewardship is everyone's responsibility.

Build Trust

Page 32


Top 3 Things marketers can do now

1. Document a realistic plan to achieve compliance

  • Write down...

    o What technologies do you employ?

    o How intrusive are they (risk assessment)?

    o How will you obtain consent?

2. Identify data partners and 'get on the same page!'

  o Including the likes of third-party lead forensics, up-sell engines, data appending services etc.

3. Prepare a business plan for centralised 'consent management'

  • Managing 'over-riding' consent could become very important in the world of 'DNT'

Thank You

Questions and Answers

#Marketo

Post-webinar discussion http://bit.ly/MarketoChat

Webinar slides and discussion highlights http://linkd.in/marketo-group


© 2011 Marketo, Inc.